research

Note: Incomplete; more will be added later.

OR’LYEH? The Shadow over Firefox

The Mozilla Firefox browser has a new garbage collection (GC) implementation
for its JavaScript engine (SpiderMonkey) since version 32. This new GC algorithm
has introduced significant changes to the way that Firefox’s heap is organized.
The GC heap is now divided into two layers; a first layer for short-lived
objects, called the ‘nursery’, and a second layer for objects that survived
a GC pass in the nursery, called the ‘tenured’ heap. Apart from these two, the
latest version of Firefox continues to use jemalloc (on all its supported platforms)
for SpiderMonkey metadata and GC heap objects that fit certain criteria. These
changes directly affect the way that the browser’s heap can be manipulated towards
states that aid in the exploitation of heap vulnerabilities.

In this talk we will expand upon previous work we have published on jemalloc heap
exploitation approaches and primitives for Firefox, taking into account its new
GC heap implementation. The presentation will demonstrate a major upgrade of our
‘unmask_jemalloc’ Firefox heap exploration utility with new features, and support
for Windows (and the WinDbg debugger). The new version of unmask_jemalloc, named
‘shadow’, will of course be released as open source along with the talk.

Project Heapbleed

Heap related bugs (such as buffer overflows, use-after-frees, dangling/stale
pointers, double frees) leading to corruptions of virtual memory and vulnerable
conditions, constitute the most common type of memory corruption bugs. The
exploitation of heap vulnerabilities is a process that requires a lot of time and
effort. It requires meticulous understanding of the underlying heap allocator; its
data structures (metadata) and its allocation/deallocation algorithms. It requires
understanding of how the target application uses the API provided by the heap
allocator to manage dynamic memory and the allocation patterns that emerge due
to this use. It also requires understanding of the application-specific data and
how/where these are placed on the heap. Finally, it requires studying of the way
the user can influence the application and use its provided functionality to
control its heap as reliably as possible with the goal to create conditions aiding
exploitation. All these must be viewed in the context of complicated bugs, since
low-hanging fruits are scarce, and the vendors’ adoption of increasingly
sophisticated exploitation mitigation technologies. We argue that although the
details between the different heap allocators, target applications and bugs at hand
obviously vary, the heap exploitation methodologies that have been formed by
practical experience can be abstracted to reusable primitives that can be applied
to new targets. Project Heapbleed is our attempt to define, clearly articulate,
categorize and where applicable implement these primitives, aiming to provide a
practical reusable heap exploitation toolset.

Exploiting the jemalloc Memory Allocator: Owning Firefox’s Heap

— with Chariton Karamitas

jemalloc is a userland memory allocator that is being increasingly adopted
by software projects as a high performance heap manager. It is used in
Mozilla Firefox for the Windows, Mac OS X and Linux platforms, and as the
default system allocator on the FreeBSD and NetBSD operating systems.
Facebook also uses jemalloc in various components to handle the load of its
web services. However, despite such widespread use, there is no work on the
exploitation of jemalloc.

Our research addresses this. We will begin by examining the architecture of
the jemalloc heap manager and its internal concepts, while focusing on
identifying possible attack vectors. jemalloc does not utilize concepts such
as unlinking or frontlinking that have been used extensively in the past
to undermine the security of other allocators. Therefore, we will develop
novel exploitation approaches and primitives that can be used to attack
jemalloc heap corruption vulnerabilities. As a case study, we will investigate
Mozilla Firefox and demonstrate the impact of our developed exploitation
primitives on the browser’s heap. In order to aid the researchers willing to
continue our work, we will also release our jemalloc debugging tool belt.

Heap Exploitation Abstraction by Example

— with Chariton Karamitas

In the first part of the talk we focused on presenting examples of exploiting heap
managers. Specifically, we talked about attacking the FreeBSD kernel allocator
(UMA), the Linux kernel allocator (SLUB), and the jemalloc userland allocator. In
the second part, we identified the common elements of these three allocators and
categorized them into the following:

End-user allocations

Allocation containers

Container groupings

Execution-specific (thread, CPU core) metadata

We then proceeded to make an argument that the value of abstracting heap
exploitation is in having a library of attack techniques, or primitives, that
can be reused on other allocators. We took the concept of weird machines, as
defined by Sergey Bratus and Halvar Flak, and applied it to heap managers.
We consider an allocator to be a deterministic automaton; metadata
corruption attacks can then be viewed as corruptions of the automaton’s
transition function. Application-specific attacks, like adjacent memory region
corruptions, can be viewed as manipulations of the automaton’s determinacy.

Protecting the Core: Kernel Exploitation Mitigations

— with Dimitrios Glynos

The exploitation of operating system kernel vulnerabilities has received a
great deal of attention lately. In userland most generic exploitation
approaches have been defeated by countermeasure technologies. Contrary to
userland protections, exploitation mitigation mechanisms for kernel memory
corruptions have not been widely adopted. Recently this has started to
change. Most operating system kernels have started to include
countermeasures against NULL page mappings, stack and heap corruptions, as
well as for other vulnerability classes. At the same time, researchers
have concentrated on developing ways to bypass certain kernel protections
on various operating systems. This presentation will describe in detail
the state-of-the-art in kernel exploitation mitigations adopted (or not)
by various operating systems (Windows, Linux, Mac OS X, FreeBSD) and
mobile platforms (iOS, Android). Moreover, it will also provide
approaches, notes, hints and references to existing work for bypassing
some of these kernel protections.

Binding the Daemon: FreeBSD Kernel Stack and Heap Exploitation

FreeBSD is widely accepted as one of the most reliable and performance-driven
operating systems currently available in both the open source and proprietary
worlds. While the exploitation of kernel vulnerabilities has been researched
in the context of the Windows and Linux operating systems, FreeBSD, and BSD
systems in general, have not received the same attention. This presentation
will initially examine the exploitation of kernel stack overflow vulnerabilities
on FreeBSD. The development process of a privilege escalation kernel stack
smashing exploit will be documented for vulnerability CVE-2008-3531. The second
part of the presentation will present a detailed security analysis of the
Universal Memory Allocator (UMA), the FreeBSD kernel’s memory allocator.
We will examine how UMA overflows can lead to arbitrary code execution in
the context of the latest stable FreeBSD kernel (8.0-RELEASE), and we will
develop an exploitation methodology for privilege escalation and kernel
continuation.